LulzSec: Not Robin Hood, more like Bonnie and Clyde

By William Jackson

Jun 27, 2011

This article has been updated from its original form to include LulzSec's announcement that it is disbanding.

The arrest last week in England of alleged LulzSec hacker Ryan Cleary did not immediately slow the organization (or disorganization) that likes to think of itself as some kind of anarchist front. Late on June 23, the group claimed responsibility for breaking into e-mail accounts of the Maricopa County, Ariz., Sheriff’s Office through its public website and stealing data.

But on June 25, the group suddenly announced on its Twitter feed that it is disbanding, the Associated Press reported. Whether this is the last we'll hear from this particular group — LulzSec didn't give a reason, but the attention it's getting from the FBI, other law enforcement agencies and other hackers just might have something to do with it — its ability to embarrass government and corporate organizations should serve as a warning.

Like the others before it, the Arizona incident says more about the victim than it does the perpetrators. LulzSec has claimed credit for a long list of smash-and-grab break-ins in its brief crime spree, and the hacks have mostly been commonly available, brute-force efforts that the victims should have been able to protect themselves against.

Shame on them for allowing themselves to become victims and for giving LulzSec anything to crow about.

We’re not talking about master criminals or good guys here. This isn’t Robin Hood. These guys are the cyber equivalent of Bonnie and Clyde, a pair of social misfits who received a lot of attention through their indiscriminate violence and who in reality were pretty inept as bank robbers and never gained the respect even of their outlaw contemporaries. It made for a good movie, but they were nothing to emulate.

Like those Southwestern bandits, LulzSec has thrived on publicity but accomplished little.

“Their Achilles heel is they want attention,” said Rob Rachwald, director of security strategy for the security firm Imperva. “I’m not sure they are intentionally self-destructive, but they are very pompous and cavalier.”

They are invincible — as long as nothing happens to them. “You don’t feel the heat until you get arrested,” Rachwald said.

That process has begun — and might not end just because LulzSec announced its dissolution. Not only are the police after them, but other hackers have turned on them as well, because their high-profile, smart-aleck attitude and penchant for theft is giving hacktivism a bad name.

But the attention LulzSec has generated is not all bad. “The positive part of it this is that it is forcing people to think really hard about their security posture,” Rachwald said. “It’s putting a focus on security.”

What LulzSec has been doing is not terribly sophisticated. As is so often the case, organizations are being breached and embarrassed because of inadequate security rather than because of the skill of the attackers.

There are sophisticated attackers out there, using sophisticated tools and exploits taking advantage of zero-day vulnerabilities to get through elaborate security. These are serious and deserve attention. But most of the breaches we see, including those from LulzSec, are the result of not having adequate defenses in place to protect against known threats.

Like the bad guys who don’t feel the heat until the police close in, systems administrators often don’t pay attention to a threat until they are attacked. The fact is, no one is immune from attack. If you already are high-profile, like the Senate or the CIA, that makes you an attractive target. If you do not already have a high profile, a successful attack will give you one.

In the end, security is about risk management. You cannot make yourself perfectly secure, but you should be able to achieve a level of security commensurate with the resources you are protecting. This would protect you against the efforts of egotistical wannabees such as LulzSec and deny them the attention they are seeking.

inside gcn

Reader Comments

Tue, Jun 28, 2011
Mike
KS

Government Employees Paper Tigers? That sounds just their new leader Owebama and that's working out just about the same. Gets an "A" on planning and an "F" on implimentation.

Tue, Jun 28, 2011
Glen
Ca

These hackers are nothing new or worse than any others we have been batteling over the years in the Private Sector. We are simply more prepared than our Government counterparts. I have been managing Networks for about 20 years but could Never get one of the cushy Govt jobs because I didnt have all of the degrees they want. This once again just proves that our Govt workers are a bunch of "paper tigers" and just couldnt cut it in the Private Sector.

Tue, Jun 28, 2011
Dave

Ivan, "pompous and cavalier" certainly does apply to them, though you are correct in saying it probably applies to their targets as well. However, to label them "greyhats" makes them seem innocuous. I suspect that their 'poking around for laughs' would soon descend into 'minor theft' since those who they target would be too "pompous and cavalier" to notice and would "deserve" the punishment of the theft. A proper grey hat would inform the target of how the breach was made quietly and not boast about it. Harmless mischief is often a gateway to harmful mischief.

Mon, Jun 27, 2011
Ivan Durakov

Sounds like the description "pompous and cavalier" would better apply to those caught with their drawers down and whose capacity for competent response is limited to self-righteous indignation, rather than the greyhats.
They did you a favor, now learn from it...

Sun, Jun 26, 2011
Technology News Blog
http://blofair.com

Very much helpful topic sir,
i like that and i want to say that i am totally agree with you.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.